How can I delete CTR data from Amazon Connect Contact Search for GDPR compliance?

Amazon Connect manages Contact Trace Records (CTRs) based on a system-wide retention policy rather than manual intervention. By default, CTRs are stored and remain visible in the Contact Search UI for 24 months. See -> https://docs.aws.amazon.com/connect/latest/adminguide/ctr-data-model.html

So, even after deleting associated S3 files (transcripts/recordings) and the Customer Profile, the "metadata" of the call (timestamp, duration, queue, and Contact ID) remains indexed until the retention period expires.

My personal understanding NOT as a lawyer or data protection officer: While the CTR cannot be deleted, overwriting its attributes satisfies GDPR's "Right to Erasure" by effectively "anonymizing" the record. Once the Customer Profile is removed and the Contact Attributes are scrubbed, the remaining metadata (ID, timestamp) no longer constitutes 'Personal Data' under GDPR, as the individual is no longer identifiable.

"4.1.3. Art. 6 Abs. 1 Buchst. c) i.V.m. Art. 17 Abs. 1 Buchst. a) DSGVO Soweit die personenbezogenen Daten der Pflicht zur unverzüglichen Löschung gemäß Art. 17 Abs. 1 Buchst. a) DSGVO unterfallen, können diese ggf. auch gemäß Art. 6 Abs. 1 Buchst. c) DSGVO anonymisiert werden. Dies ist unter der Prämisse möglich, dass die Löschverpflichtung auch durch die Anonymisierung erfüllt werden kann." (page 8 in the following PDF)." -> https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Konsultationsverfahren/1_Anonymisierung/Positionspapier-Anonymisierung.pdf

My understanding of how this can be fulfilled technically:

1. Scrub Personal Data (Contact Attributes)

Since the record itself cannot be deleted immediately, you must remove the PII (Personally Identifiable Information) within it.

• Action: Use the UpdateContactAttributes API to overwrite any customer-specific attributes for that ContactId with empty strings or a "DELETED" placeholder.
• Result: The record remains in the search results, but the sensitive data linked to it is gone.

https://docs.aws.amazon.com/cli/latest/reference/connect/update-contact-attributes.html https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateContactAttributes.html

2. Access Control (IAM Policies)

Restrict access to the "Contact Search" feature in the AWS Console. Once the PII is scrubbed and S3 files are deleted, the remaining metadata (call duration, date) is generally considered non-identifying technical data. Restricting who can see these "skeleton" records further reduces compliance risk.

3. Adjust Retention Periods

If 24 months is too long for your data privacy policy, you can try to contact AWS Support of if you have, your AWS Technical Account Manager (TAM) to request a shorter, global retention period for your instance’s CTRs (e.g., reducing it to 6 or 12 months). Please note that this change applies to all records in the instance, NOT just specific ones. However, I do not think AWS Support will do this, as they typically do not take on customer responsibilities.

There is also the following post on re:Post: https://repost.aws/knowledge-center/connect-troubleshoot-contact-records